Sr. Consultant at Foundstone

Specializes in Penetration Testing

Former developer for DoD on Trickler
Project

Former member of various commercial
and DoD Red Teams
Credit/Thanks

Experience with Passive Host
Characterization initially developed
while at G2, www.g2secure.com.

Ron Gula at Tenable for general advice
and for use of PVS

The Government (despite being a bit
difficult)
Passive Host Characterization

It's passive so it doesn't cost your network
anything

The basic technology is simple

Active scanning can be a political nightmare

PHC watches over time; scans are snapshots

PHC can detect problems that active scanning
and traditional IDS systems can't
Passive Host Characterization

Basic Concepts:

Passively tap networks
Observe traffic

Server Versions

Client Versions

TCP/IP Fingerprints

DNS Queries

HTTP Traffic - special emphasis as HTTP tends
to leak loads of information.
Fundamentals

TCP/IP Fingerprints

SynFP

Server Strings
Fundamentals

Data

Client Strings

USER-AGENT
HTTP-REFERER
Limewire
Mail clients

Simple protocol - very interesting data
More later
Fundamentals

Basic Concepts -- Continued

Aggregate/Reduce/Process Data

Correlate to known vulnerable
applications

Datamine (manually or through
automated scripts)
Fundamentals

Commodity hardware (I prefer Linux)

libpcap

Not necessary to keep state

Memory is a key limitation on many IDS

Data can be processed AFTER
collection
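The collection and reduce steps from the last two slides, as an added example (not code from the slides, PVS or Trickler): each frame is inspected on its own for a Server: or User-Agent: value, nothing is reassembled and no per-flow state is kept, and only the running counts survive collection. The frames, addresses and strings are constructed here; checksums are left zero because the parser never validates them.

```python
"""Stateless harvesting of HTTP server/client strings from raw frames.

Added example, not code from the slides or from PVS/Trickler.  It does per
packet what a libpcap collector on commodity hardware would do: look at one
frame, pull any Server: or User-Agent: value out of it, and move on without
TCP reassembly or per-flow state.  The reduce step then turns the
observations into count | ip | port | string rows.  All frames below are
constructed inline for the example; checksums are left zero.
"""
import re
import socket
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

SERVER_HDR = re.compile(rb"^Server:[ \t]*([^\r\n]+)", re.M | re.I)
CLIENT_HDR = re.compile(rb"^User-Agent:[ \t]*([^\r\n]+)", re.M | re.I)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame around `payload`."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # data offset 5 words (20-byte header), PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def observe(frame):
    """Inspect one frame; return ("server", ip, port, string) for a Server:
    header, ("client", ip, port, string) for a User-Agent:, else None.
    For servers the port is the source port (the service); for clients it is
    the destination port (the service being talked to)."""
    if len(frame) < ETH_HDR_LEN + 40:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IPPROTO_TCP:
        return None
    src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    tcp_off = ip_off + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    m = SERVER_HDR.search(payload)
    if m:
        return ("server", src, sport, m.group(1).strip().lower().decode("latin-1"))
    m = CLIENT_HDR.search(payload)
    if m:
        return ("client", src, dport, m.group(1).strip().lower().decode("latin-1"))
    return None


def aggregate(frames):
    """Reduce per-frame observations to (count, kind, ip, port, string) rows,
    highest count first.  Only the Counter survives collection, not the frames."""
    counts = Counter(o for o in map(observe, frames) if o)
    return sorted(((n,) + key for key, n in counts.items()),
                  key=lambda row: (-row[0], row[1:]))


FIREFOX_XP = b"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
MSIE_XP = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


def _get(ua):
    return b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: " + ua + b"\r\n\r\n"


# Constructed traffic: two clients, one Apache server, plus two frames of noise.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 51000, 80, _get(FIREFOX_XP)),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51000,
                b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.37 (Unix) PHP/4.4.7\r\n\r\n<html>"),
    build_frame("10.0.0.5", "192.0.2.10", 51001, 80, _get(FIREFOX_XP)),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51001,
                b"HTTP/1.1 304 Not Modified\r\nServer: Apache/1.3.37 (Unix) PHP/4.4.7\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 51002, 80, _get(b"iTunes/7.6 (Windows; N)")),
    build_frame("10.0.0.7", "192.0.2.10", 40000, 80, _get(MSIE_XP)),
    build_frame("192.0.2.20", "10.0.0.5", 22, 52000, b"SSH-2.0-OpenSSH_4.7\r\n"),  # no HTTP header
    b"\x00" * 12 + struct.pack("!H", 0x86DD) + b"\x00" * 40,                   # not IPv4
]


def top_strings():
    return aggregate(SAMPLE_FRAMES)


if __name__ == "__main__":
    for row in top_strings():
        print(" | ".join(str(c) for c in row))
```

The same loop, fed from a pcap file or a live libpcap handle instead of SAMPLE_FRAMES, is the whole collector; the Counter is the only thing that grows, which is why memory stays flat where a stateful IDS would not.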
Known Projects: PVS

Tenable Project (Makers of Nessus)
Signature based

Tied to Nessus NASL scripts
Regularly updated

GigE throughput

Very good at detecting vulnerabilities

Backend not readily accessible for custom
queries

Flexible Rule language - similar to most IDS
systems
Known Projects: PVS

Sample rule, looking for IMAP servers:

id=1000001
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :<br> %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready
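How a rule of this shape is applied, as an added example (not Tenable's code): the rule text above is parsed into a dictionary and run over constructed server lines. My reading of the semantics, which is an assumption to check against the PVS documentation, is that the observation must come from the rule's hs_sport, every match= keyword must be present as a cheap substring pre-filter, regex= then confirms, and %L in the description stands for the matching line.

```python
"""Evaluate a PVS-style passive rule against observed server lines.

Added example, not Tenable's code.  RULE_TEXT is the IMAP banner rule from
the slide.  My reading of its semantics (an assumption; check the PVS
documentation): the observation must come from the rule's hs_sport, every
match= keyword must occur in the line as a cheap substring pre-filter, and
regex= then confirms; %L in the description stands for the matching line.
"""
import re

RULE_TEXT = """\
id=1000001
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :<br> %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready
"""


def parse_rule(text):
    """Parse key=value lines; repeated match= keys accumulate into a list."""
    rule = {"match": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "match":
            rule["match"].append(value)
        elif key == "regex":
            rule["regex"] = re.compile(value)
        elif key == "hs_sport":
            rule["hs_sport"] = int(value)
        else:
            rule[key] = value
    return rule


def evaluate(rule, sport, line):
    """Return the filled-in description if `line`, sent from server port
    `sport`, triggers `rule`; otherwise None."""
    if "hs_sport" in rule and sport != rule["hs_sport"]:
        return None
    if not all(keyword in line for keyword in rule["match"]):
        return None                      # cheap substring filter failed
    if "regex" in rule and not rule["regex"].search(line):
        return None                      # keywords present but not in rule order
    return rule.get("description", "").replace("%L", line)


# Constructed server-to-client lines: (server port, first line sent).
SAMPLE_LINES = [
    (143, "* OK [CAPABILITY IMAP4rev1 STARTTLS] IMAP server ready"),
    (143, "* OK Dovecot ready."),            # no "IMAP" / "server ready"
    (143, "* OK Courier-IMAP ready"),        # missing "server ready"
    (993, "* OK IMAP server ready"),         # other port; this rule is for 143
    (143, "* IMAP server ready, OK"),        # all keywords, wrong order for regex
]


def hits(lines=SAMPLE_LINES, rule_text=RULE_TEXT):
    """Run one rule over all lines and return the descriptions it produced."""
    rule = parse_rule(rule_text)
    results = (evaluate(rule, sport, line) for sport, line in lines)
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for description in hits():
        print(description)
```

The substring pre-filter is what makes a rule set of this kind cheap at line rate: the regex only runs on the small fraction of lines that already contain every keyword.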
Passive Vulnerability
Identification

[Screenshot of the PVS web interface: "Cumulative Vulnerability Data Analysis", Summary by Vulnerability, columns Plugin / Total / Severity / Name / Family / [Ticket] [Risk]. Every finding listed is in the "Web Servers (NeVO)" family, with severities from Low to High; plugin IDs visible include 03042, 03112, 01515, 01205, 01237, 02123, 02125 and 02276. Finding names shown, truncated where the screenshot truncates them:
Web server type
Microsoft Webserver Detect...
Apache HTTP Smuggling vulner...
Apache HTTP Smuggling vulner...
OpenSSL denial of service
PHP Remote getimagesize Deni...
OpenSSL password intercept...
WebDAV enabled
php4/5 Vulnerabilities
Apache mod_ssl denial of ser...
Apache Input Header Folding
AcmeTHTTPD/Mini_HTTPD File...
ACME Labs thttpd Cross-Site...
Acme thttpd/mini_httpd Virtu...
Apache < 2.0.48
Apache < 2.0.51
Apache mod_ssl Rewrite Rules...]
Known Projects: Trickler

Source is entirely UNCLASSIFIED

www.truststc.org/pubs/256/Berkeley.pdf

www.defenselink.mil/comptroller/defbudg
http://www.nsa.gov/techtrans/techt00004
Known Projects: Trickler

Department of Defense Project

Source is entirely unclassified

Source is publicly available (Tech
Transfer)

Not signature based

Grabs server/client strings

MySQL Backend
Real World Capacity

GigE

Backbones of major organizations

Trickler

Ask the government

Endace DAG Cards:
OC-48+

Observed at >10Gbs
Finding Vulnerabilities

Based on Nessus scripts

Software Versioning

Grab version strings

Compare version strings

Parsing/Correlating can be difficult
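The grab/compare/correlate steps in code, as an added example (not the slides' or Nessus/PVS code): a banner is split into product/version tokens, versions are ordered with both numeric and letter parts (0.9.8c versus 0.9.8), and "product < fixed version" findings are applied. The finding names are the ones from the PVS screenshots on this page; the branch field, the rule table and the sample banners are my additions, there to show one way the correlation goes wrong when done naively.

```python
"""Version-string correlation for passively observed Server banners.

Added example, not the slides' or Nessus/PVS code.  It parses product/version
tokens out of a banner, orders versions with numeric and letter parts
(0.9.8c vs 0.9.8), and applies "product < fixed version" findings.  The rule
names come from the PVS screenshots on this page; the branch field and the
sample banners are my additions to show why naive comparison misfires.
"""
import re

TOKEN = re.compile(r"([a-z][a-z0-9_\-]*)/([0-9][0-9a-z.\-]*)")


def parse_banner(banner):
    """Map product -> version from a banner such as
    'apache/2.2.6 (unix) dav/2 mod_ssl/2.2.6 openssl/0.9.8c php/4.4.7'.
    A leading product with no version (bare 'apache') maps to None."""
    banner = banner.lower()
    products = dict(TOKEN.findall(banner))
    words = banner.split()
    if words and "/" not in words[0]:
        products.setdefault(words[0], None)
    return products


def version_key(version):
    """Sortable key: digit runs compare as integers, letter runs as strings,
    so 2.0.51 > 2.0.48 and 0.9.8c > 0.9.8 (a bare prefix sorts first)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", version))


# (product, affected branch, first fixed version, finding name)
RULES = [
    ("apache", "2.0", "2.0.43", "Apache < 2.0.43"),
    ("apache", "2.0", "2.0.48", "Apache < 2.0.48"),
    ("apache", "2.0", "2.0.51", "Apache < 2.0.51"),
]


def correlate(ip, banner, rules=RULES, branch_aware=True):
    """Return (ip, finding) pairs for every rule the banner satisfies."""
    findings = []
    products = parse_banner(banner)
    for product, branch, fixed, name in rules:
        version = products.get(product)
        if version is None:
            continue            # product absent or version withheld: cannot assess
        if branch_aware and not version.startswith(branch + "."):
            continue            # 1.3.37 is not an early 2.0.x; naive compare would flag it
        if version_key(version) < version_key(fixed):
            findings.append((ip, name))
    return findings


# Constructed observations: (ip, Server banner).
SAMPLE_BANNERS = [
    ("192.0.2.10", "apache/2.0.46 (unix) mod_ssl/2.0.46 openssl/0.9.7a"),
    ("192.0.2.11", "apache/2.2.6 (unix) dav/2 mod_ssl/2.2.6 openssl/0.9.8c php/4.4.7"),
    ("192.0.2.12", "apache/1.3.37 (unix) php/4.4.7"),
    ("192.0.2.13", "apache"),
    ("192.0.2.14", "microsoft-iis/5.0"),
]


def scan(branch_aware=True):
    findings = []
    for ip, banner in SAMPLE_BANNERS:
        findings.extend(correlate(ip, banner, branch_aware=branch_aware))
    return findings


if __name__ == "__main__":
    print("branch-aware:", scan())
    print("naive:       ", scan(branch_aware=False))
```

Run naively, the 1.3.37 host collects all three "Apache < 2.0.x" findings, which is the correlation difficulty the slide warns about; the branch check, a bare "apache" with no version, and the letter suffix on the OpenSSL version are the three cases a version comparer has to handle before its output is worth ticketing.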
Passive Vulnerability
Identification

Plugin | Total | Severity | Name | Family
01237 | 2 | Medium | Apache Input Header Folding ... | Web Servers (NeVO)
02121 | 2 | Medium | Acme THTTPD/Mini_HTTPD File ... | Web Servers (NeVO)
02123 | 2 | Medium | ACME Labs thttpd Cross-Site ... | Web Servers (NeVO)
02125 | 2 | Medium | Acme thttpd/mini_httpd Virtu ... | Web Servers (NeVO)
(unreadable) | 2 | Low | Apache < 2.0.43 | Web Servers (NeVO)
(unreadable) | 2 | High | Apache < 2.0.51 | Web Servers (NeVO)
02276 | 2 | Medium | Apache mod_ssl Rewrite Rules ... | Web Servers (NeVO)

count | ip | port | returnstring
18 | 134814731 | 80 | apache/1.3.37
8 | 134814736 | 80 | apache/1.3.37
33 | 134814738 | 80 | apache/1.3.37
4 | 134814754 | 80 | apache/1.3.37
13 | 134814755 | 80 | apache/1.3.37
31 | 134814760 | 80 | apache/1.3.37
66 | 134814761 | 80 | apache/1.3.37
10 | 134814762 | 80 | apache/1.3.37
23 | 134814763 | 80 | apache/1.3.37
16 | 134814771 | 80 | apache/1.3.37
Host Characterization: Knowing
Your Network

What's the most common client traffic
on your network?

hitcount | ip | port | string
131321 | 12028920* | 80 | mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1.11) gecko/20071127 firefox/2.0.0.11
33253 | 12028920* | 80 | mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1.12) gecko/20080201 firefox/2.0.0.12
19324 | 12028920* | 80 | mozilla/4.0 (compatible; msie 7.0; windows nt 6.0; slcc1; .net clr 2.0.50727; media center pc 5.0; .net clr 3.0.04506)
14315 | 12028920* | 80 | mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1)
53xx | 12028920* | 80 | mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 1.1.4322; .net clr 2.0.50727; .net clr 3.0.04506.30; infopath.1)
5286 | 12028920* | 80 | mozilla/5.0 (x11; u; linux i686; en-us; rv:1.8.1.12) gecko/20080201 firefox/2.0.0.12
2081 | 12028920* | 80 | Shockwave flash
1650 | 12028920* | 80 | mozilla/5.0 (windows; u; windows nt 6.0; en-us; rv:1.8.1.8) gecko/20071008 firefox/2.0.0.8;megaupload 1.8
1121 | 12028920* | 80 | itunes/7.6 (windows; u; microsoft windows xp professional service pack 2 (build 2600)) dpi/96
987 | 12028920* | 80 | mchttp
865 | 12028920* | 80 | microsoft-cryptoapi/6.0
832 | 12028920* | 80 | itunes/7.6 (windows; n)

(The ip column is redacted in the original screenshot; one hitcount is unreadable.)
Servers

Server Traffic

[Screenshot: query output with columns count | ip | port | string; the ip column is redacted and the count column is only partly readable (values from about 21358 down to 386). Server strings observed, all on port 80:
flashcom/2.5.3
apache/1.3.37 (unix) php/4.4.7
apache/2.2.6 (unix) dav/2 mod_ssl/2.2.6 openssl/0.9.8c php/4.4.7
microsoft-iis/5.0
apache
gfe/1.3
gfe/1.3
cafe
microsoft-iis/5.0
apache]

Foundstone

Practical Uses: System
Management
Practical Uses: Penetration
Testing

Pen tests vary - but some customers
want testers to represent a stealthy
attacker such as an insider or
sophisticated corporate espionage

Not possible to go slow on typical
time/budget

A tool like PHC gives you insider
information or what you'd learn if you
went slow for a long period
Practical Uses: DNS Exfiltration
Detection

DNS requests are generally
allowed outbound in every enterprise

Data can be exfiltrated without
breaking the protocol.

OzymanDNS is a publicly available tool
Other commercial tools exist
Practical Uses: DNS Exfiltration
Detection

From individual messages it is
difficult to determine abusive content

Communication has identifiable
characteristics

Messages tend to be longer

Messages tend to be more frequent

Messages have high entropy (nightmare
to store in db)
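The three characteristics above turned into a per-client profile, as an added example (not from the slides or any product): rather than judging single messages, the code aggregates each client's queries and scores name length, query rate and label entropy, plus a fourth signal of my own, the number of distinct names under one parent domain. The query log and the thresholds are constructed; only the profile is kept, which is one answer to the "nightmare to store" remark.

```python
"""Per-client DNS query profiling for exfiltration/tunnelling detection.

Added example, not from the slides or any product.  Instead of judging single
messages, it aggregates each client's queries and checks the characteristics
the slide lists: longer names, higher frequency, high-entropy labels, and
(as a fourth, my addition) many distinct names under one parent domain.  The
query log and the thresholds are constructed for the example.  Only the
profile is kept, not the high-entropy names themselves.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Entropy of `text` in bits per character (4.0 is the maximum for hex)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(queries):
    """queries: iterable of (unix_ts, client_ip, qname).  Returns per-client
    statistics: query rate, mean name length, mean entropy of the leftmost
    label, and the largest number of distinct names seen under one parent."""
    per_client = defaultdict(list)
    for ts, client, qname in queries:
        per_client[client].append((ts, qname.lower().rstrip(".")))
    profiles = {}
    for client, items in per_client.items():
        stamps = [ts for ts, _ in items]
        names = [q for _, q in items]
        span = max(1, max(stamps) - min(stamps))          # seconds observed
        under_parent = defaultdict(set)
        for q in names:
            labels = q.split(".")
            under_parent[".".join(labels[-2:])].add(q)
        profiles[client] = {
            "per_minute": 60.0 * len(names) / span,
            "mean_len": sum(map(len, names)) / len(names),
            "mean_entropy": sum(shannon_entropy(q.split(".")[0]) for q in names) / len(names),
            "max_names_per_domain": max(len(s) for s in under_parent.values()),
        }
    return profiles


# Constructed cut-offs; tune against a baseline of your own traffic.
THRESHOLDS = {"per_minute": 30, "mean_len": 40, "mean_entropy": 3.4, "max_names_per_domain": 50}


def suspects(queries, thresholds=THRESHOLDS):
    """Clients exceeding at least two thresholds, with the reasons."""
    flagged = {}
    for client, stats in profile(queries).items():
        reasons = [k for k, limit in thresholds.items() if stats[k] >= limit]
        if len(reasons) >= 2:
            flagged[client] = reasons
    return flagged


def sample_log():
    """Constructed log: an ordinary client, and one pushing 32-hex-character
    chunks out through a parent domain at about one query per second."""
    normal = ["www.example.com", "mail.example.com", "cdn.example.org", "news.example.net"]
    log = [(1000 + 30 * i, "10.0.0.5", normal[i % 4]) for i in range(20)]
    for i in range(120):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:32]
        log.append((1000 + i, "10.0.0.9", f"{chunk}.t.example.net"))
    return log


if __name__ == "__main__":
    for client, stats in profile(sample_log()).items():
        print(client, {k: round(v, 2) for k, v in stats.items()})
    print("suspects:", suspects(sample_log()))
```

Requiring two characteristics together is what keeps a CDN's long hostnames or a mail server's query rate from tripping the detector on their own; the entropy of a 32-character hex label lands around 3.6 bits per character, well above the ordinary words in the normal client's names.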
Practical Uses: NAT Detection

Wireless NATs are a significant and
present risk to many enterprises

Port security is difficult across an
enterprise

NATs have identifiable characteristics

More traffic

Multiple OS identification
Cross platform services (MS IIS and SSH)
Cross platform browsers
Practical Uses: NAT Detection

[Screenshot: client strings observed from a single source address, all on port 80]
mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1.11) gecko/20071127 firefox/2.0.0.11
mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.8.1.12) gecko/20080201 firefox/2.0.0.12
mozilla/4.0 (compatible; msie 7.0; windows nt 6.0; slcc1; .net clr 2.0.50727; media center pc 5.0; .net clr 3.0.04506)
mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1)
mozilla/5.0 (x11; u; linux i686; en-us; rv:1.8.1.12) gecko/20080201 firefox/2.0.0.12
mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 1.1.4322; .net clr 2.0.50727; .net clr 3.0.04506.30; infopath.1)
Shockwave flash
mozilla/5.0 (windows; u; windows nt 6.0; en-us; rv:1.8.1.8) gecko/20071008 firefox/2.0.0.8;megaupload 1.8
itunes/7.6 (windows; u; microsoft windows xp professional service pack 2 (build 2600)) dpi/96

[Screenshot: TCP/IP fingerprint table for the same address; columns count | ip | fpnum as best recovered, ip redacted]
228482 | 12028920* | 2259
97436 | 12028920* | 1383
44978 | 12028920* | 2935
41588 | 12028920* | 308
26515 | 12028920* | 1643
5386 | 12028920* | 2180
747 | 12028920* | (unreadable)
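A scorer for the characteristics listed two slides back, as an added example (not from the slides or any product): per source address it collects the client OS implied by User-Agent strings, the TCP/IP fingerprint ids seen, and the platform implied by server banners, then adds points for multiple OS, multiple fingerprints, cross-platform services and more traffic than peers. The UA-to-OS patterns, the fingerprint ids and the observations are constructed; the first sample host is shaped like the screenshot above, one address speaking with Windows XP, Vista and Linux browsers and several fingerprints.

```python
"""Scoring hosts for NAT-like behaviour from passively observed strings.

Added example, not from the slides or any product.  Per source IP it collects
the client OS implied by User-Agent strings, the TCP/IP fingerprint ids seen,
and the platform implied by server banners, then scores the characteristics
the slide lists: multiple OS, cross-platform services, cross-platform
browsers, and more traffic than peers.  The UA-to-OS patterns, fingerprint
ids and observations are constructed for the example.
"""
import re
import statistics

OS_PATTERNS = [
    (re.compile(r"windows nt 5\.1"), "windows-xp"),
    (re.compile(r"windows nt 6\.0"), "windows-vista"),
    (re.compile(r"x11;.*linux"), "linux"),
    (re.compile(r"mac os x"), "macos"),
]
SERVER_PLATFORMS = [
    (re.compile(r"microsoft-iis"), "windows"),
    (re.compile(r"openssh"), "unix"),
]


def os_from_user_agent(ua):
    ua = ua.lower()
    for pattern, family in OS_PATTERNS:
        if pattern.search(ua):
            return family
    return None


def profile_host(observations):
    """observations: iterable of (kind, value) with kind in ua / fp / server."""
    families, fingerprints, platforms, hits = set(), set(), set(), 0
    for kind, value in observations:
        hits += 1
        if kind == "ua":
            family = os_from_user_agent(value)
            if family:
                families.add(family)
        elif kind == "fp":
            fingerprints.add(value)
        elif kind == "server":
            for pattern, platform in SERVER_PLATFORMS:
                if pattern.search(value.lower()):
                    platforms.add(platform)
    return {"os": families, "fps": fingerprints, "platforms": platforms, "hits": hits}


def nat_score(host, median_hits):
    score, reasons = 0, []
    if len(host["os"]) > 1:
        score, reasons = score + 2, reasons + ["multiple client OS"]
    if len(host["fps"]) > 1:
        score, reasons = score + 2, reasons + ["multiple TCP/IP fingerprints"]
    if len(host["platforms"]) > 1:
        score, reasons = score + 2, reasons + ["cross-platform services"]
    if host["hits"] > 2 * median_hits:
        score, reasons = score + 1, reasons + ["more traffic than peers"]
    return score, reasons


def find_nats(host_observations, min_score=4):
    """host_observations: {ip: [(kind, value), ...]} -> {ip: (score, reasons)}."""
    profiles = {ip: profile_host(obs) for ip, obs in host_observations.items()}
    median_hits = statistics.median(p["hits"] for p in profiles.values())
    results = {ip: nat_score(p, median_hits) for ip, p in profiles.items()}
    return {ip: r for ip, r in results.items() if r[0] >= min_score}


FIREFOX_XP = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
MSIE_VISTA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727)"
FIREFOX_LINUX = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"

# Constructed observations: 10.1.1.20 behaves like a wireless NAT.
SAMPLE_HOSTS = {
    "10.1.1.20": [("ua", FIREFOX_XP)] * 3 + [("ua", MSIE_VISTA), ("ua", FIREFOX_LINUX),
                  ("ua", "i" "Tunes/7.6 (Windows; N)"), ("fp", 2259), ("fp", 1383), ("fp", 2935),
                  ("server", "Microsoft-IIS/5.0"), ("server", "SSH-2.0-OpenSSH_4.7")],
    "10.1.1.21": [("ua", FIREFOX_XP)] * 3 + [("fp", 2259)],
    "10.1.1.22": [("ua", MSIE_VISTA), ("fp", 1383)],
}

if __name__ == "__main__":
    for ip, (score, reasons) in find_nats(SAMPLE_HOSTS).items():
        print(ip, score, reasons)
```

The traffic test is deliberately the weakest signal (one point): a busy single-user workstation will exceed the median too, whereas one address fingerprinting as three operating systems has no innocent single-host explanation short of virtual machines, which is the false positive to check before escalating.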
Research Uses: Detecting
Network Bridging

Consider a host connected to an enterprise network
that then has an additional unauthorized network
connection - say EVDO.

Secondary connection (EVDO) is default gateway

Normal for bypassing corporate policy

Host will have notably different characterization:

No observed external traffic except maybe DNS lookups
Internal traffic (corporate web/etc)
IE is latest and greatest (it's patched)
Research Uses: Fast Flux

Tool that uses short DNS TTLs to host or proxy
websites across many infected machines

Fast flux is difficult to block because the
sites are spread across many IP
addresses

IDS/IPS need a signature or IP - thus it's
too late
Research Uses: Fast Flux

Characteristics:

DNS responses with short TTL

FQDN with many IP addresses (though
redundant hosts have this too)

DNS servers where they shouldn't be

IDS can sometimes identify same trait

False positives are high

I've never seen an IDS on a > GigE pipe
Research Uses: Fast Flux

Example:

[Table, addresses and domain redacted in the original: value 756; three rows 120289XXXX, 120289XXXY and 120289XXXZ, each marked H and safe, all for one name ending in .com]
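The first two characteristics from the previous slide, short TTL and many addresses per FQDN, as an added detector (not from the slides or any product). To address the caveat that redundant hosts also have many addresses, it adds a third test of my own: the addresses must spread across several /16 networks, which a load-balanced site in one hosting range usually does not. The answer records, the network key and the thresholds are constructed for the example.

```python
"""Flagging fast-flux-like names from passively observed DNS answers.

Added example, not from the slides or any product.  For each answered name it
keeps the minimum TTL, the set of A-record addresses, and how many distinct
/16 networks those addresses span; a name is flagged when the TTL is short
AND the addresses are many AND spread across networks.  The third test is my
addition to address the caveat on the slide: a redundant or load-balanced
host also has many addresses, but they usually sit in one or two networks.
The answer records and thresholds are constructed for the example.
"""
from collections import defaultdict


def net16(ip):
    """Crude 'different network' key: the first two octets."""
    return ".".join(ip.split(".")[:2])


def profile_names(answers):
    """answers: iterable of (unix_ts, qname, ip, ttl) from A-record responses."""
    by_name = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set(), "answers": 0})
    for _, qname, ip, ttl in answers:
        p = by_name[qname.lower().rstrip(".")]
        p["answers"] += 1
        p["ips"].add(ip)
        p["nets"].add(net16(ip))
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
    return by_name


def flux_candidates(answers, max_ttl=300, min_ips=5, min_nets=4):
    """Names whose answers show short TTLs and many addresses across many networks."""
    out = {}
    for name, p in profile_names(answers).items():
        if p["min_ttl"] <= max_ttl and len(p["ips"]) >= min_ips and len(p["nets"]) >= min_nets:
            out[name] = {"min_ttl": p["min_ttl"], "ips": len(p["ips"]), "nets": len(p["nets"])}
    return out


def sample_answers():
    """Constructed: a flux name rotating through twelve addresses in six /16s
    with TTL 180, a load-balanced site with eight addresses in one /16 and
    TTL 60, and an ordinary name with a one-day TTL."""
    log = []
    flux_ips = [f"10.{11 + i % 6}.{i}.{7 + i}" for i in range(12)]
    for i, ip in enumerate(flux_ips):
        log.append((1000 + 180 * i, "update.bad-example.net", ip, 180))
    for i in range(8):
        log.append((1000 + 60 * i, "www.big-cdn-example.com", f"10.50.1.{i + 1}", 60))
    log.append((1000, "www.example.com", "10.60.0.1", 86400))
    return log


if __name__ == "__main__":
    for name, stats in flux_candidates(sample_answers()).items():
        print(name, stats)
```

Because every input here is a DNS answer seen on the wire, the detector needs neither a signature nor a known-bad IP, which is the gap the slide identifies in IDS/IPS; its output is a list of names worth a closer look, not a verdict, since a large CDN can legitimately span many networks too.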
Research Uses: Threat Modeling

[slide title fragment unreadable: "... rest of us"]

What O/S do attackers run?
What tools are they using?

The better you know what your attacker
looks like the better you can block them

Create rules based on characteristics rather
than IPs - which change more quickly
Research Uses: Threat Modeling

Detect them before they even attack

[Packet capture shown on the slide, partly unreadable: an HTTP/1.1 GET to Host: www.google.com with User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; ...) Gecko/... Firefox/..., Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5, Accept-Language: en-us,en;q=0.5, Accept-Encoding: gzip,deflate, Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7, Keep-Alive: ..., Connection: keep-alive, Referer: http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=password.txt+site%3Axyz.com&btnG=Search, Cookie: ..., Cache-Control: max-age=0]
Research Uses: Borrowing From
Beale

Deep document inspection

Could we parse documents at network
speed?

We can't rebuild the document - too much memory

We can't rebuild the document - we don't keep state
anyway

We probably don't need to rebuild the doc

Ethernet frames are usually 1500B
Probably big enough to grab some meta-data
Create a binary trigger and take snapshots

Enough to tie document version/author to IP (maybe?)
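The binary-trigger-and-snapshot idea in code, as an added example (not from the slides or from the Beale work they borrow from): one packet payload, at most a frame's worth, is checked for a document magic number and, for PDF, whatever /Info-style keys happen to sit in that same frame are harvested and tied to the source address; nothing is reassembled and no state is carried between packets. The payloads are constructed, and the second one shows the "maybe?" case, a PDF whose Info dictionary sits at the end of the file rather than in the first frame.

```python
"""Single-frame document snapshot: binary trigger plus metadata grab.

Added example, not from the slides or from the Beale work they refer to.  It
looks at one packet payload (at most one Ethernet frame's worth), fires on a
document magic number, and, for PDF, harvests whatever /Info-style keys
happen to sit in that same frame; nothing is reassembled and no state is kept
between packets.  The payloads are constructed for the example.
"""
import re

FRAME_PAYLOAD_MAX = 1500 - 14 - 20 - 20   # Ethernet MTU minus Ethernet/IP/TCP headers

TRIGGERS = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                           # .docx/.xlsx/.odt containers
]
PDF_VERSION = re.compile(rb"%PDF-(\d\.\d)")
PDF_INFO = re.compile(rb"/(Title|Author|Creator|Producer)\s*\(([^)]*)\)")


def snapshot(src_ip, payload):
    """Return {"ip", "type", "offset", "meta"} if a document trigger fires
    inside this one payload, else None."""
    payload = payload[:FRAME_PAYLOAD_MAX]
    for magic, kind in TRIGGERS:
        offset = payload.find(magic)
        if offset >= 0:
            break
    else:
        return None
    record = {"ip": src_ip, "type": kind, "offset": offset, "meta": {}}
    if kind == "pdf":
        m = PDF_VERSION.search(payload, offset)
        if m:
            record["meta"]["version"] = m.group(1).decode()
        for key, value in PDF_INFO.findall(payload[offset:]):
            record["meta"][key.decode().lower()] = value.decode("latin-1")
    return record


HTTP_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"

# Writer put the Info dictionary right after the header: one frame is enough.
PDF_EARLY_INFO = HTTP_HEAD + (b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 budget) /Author (J. Doe) "
                              b"/Producer (Example Writer 5.4) >>\nendobj\n" + b"\x00" * 2000)

# Info dictionary at the end of the file, as is common: the first frame yields
# only the type and version (the "maybe?" on the slide).
PDF_LATE_INFO = HTTP_HEAD + b"%PDF-1.4\n" + b"\x00" * 2000 + b"<< /Author (J. Doe) >>"

OLE2_DOC = HTTP_HEAD + b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 500


def demo():
    return [snapshot("10.0.0.5", PDF_EARLY_INFO),
            snapshot("10.0.0.5", PDF_LATE_INFO),
            snapshot("10.0.0.6", OLE2_DOC),
            snapshot("10.0.0.7", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Even the degraded snapshot (type and version only) is a useful characterization record: which addresses are moving which document formats, at what versions, is exactly the sort of question the rest of the deck asks of HTTP strings, and it costs one find() per packet rather than a reassembly buffer.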
Future: Network Characterization

Enterprises are often aware of
"problem" networks

Incidents trigger identification
Scanning triggers identification

Malicious networks can be
characterized. For example:
Host O/S

Client Software (old IE)

Unneeded services running
Future: Losing The Database

Limitation of large datasets

Schema and indexing need to be optimized to
reasonably perform some queries

G2 and LexisNexis are partnering to use LN's
technology

No indexing required

Some pre-processing overhead

Most queries complete in about the same time as an
indexed DB query

Analysts can more easily perform complex queries in new
ways






Conclusion

PHC can be a powerful tool.
Simple technology

Can scale to any enterprise

PoC Demo Code Available (soon) at

www.cyberwart.com/phc-demo.tgz

Questions